Closed Bug 1426312 Opened 2 years ago Closed 2 years ago

Assertion failure: aTiming.Duration().ref() >= zeroDuration (Iteration duration should be positive), at /builds/worker/workspace/build/src/dom/animation/AnimationEffectReadOnly.cpp:108

Categories: Core :: DOM: Animation, defect, P2 (59 Branch)

Status: RESOLVED FIXED
Target Milestone: mozilla59

Tracking Status:
firefox-esr52 --- unaffected
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- fixed

People: Reporter: jkratzer, Assigned: emilio
References: Blocks 1 open bug
Keywords: assertion, regression, testcase
Attachments: 2 files
Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 5572465c08a9.

OS|Linux|0.0.0 Linux 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::dom::AnimationEffectReadOnly::GetComputedTimingAt|hg:hg.mozilla.org/mozilla-central:dom/animation/AnimationEffectReadOnly.cpp:5572465c08a9|117|0x0
0|1|libxul.so|mozilla::dom::AnimationEffectReadOnly::GetComputedTiming|hg:hg.mozilla.org/mozilla-central:dom/animation/AnimationEffectReadOnly.cpp:5572465c08a9|273|0x13
0|2|libxul.so|mozilla::dom::AnimationEffectReadOnly::IsCurrent|hg:hg.mozilla.org/mozilla-central:dom/animation/AnimationEffectReadOnly.cpp:5572465c08a9|57|0x11
0|3|libxul.so|mozilla::dom::Animation::UpdateRelevance|hg:hg.mozilla.org/mozilla-central:dom/animation/Animation.h:5572465c08a9|278|0xa
0|4|libxul.so|mozilla::dom::KeyframeEffectReadOnly::SetAnimation|hg:hg.mozilla.org/mozilla-central:dom/animation/KeyframeEffectReadOnly.cpp:5572465c08a9|1814|0x10
0|5|libxul.so|mozilla::dom::Animation::SetEffectNoUpdate|hg:hg.mozilla.org/mozilla-central:dom/animation/Animation.cpp:5572465c08a9|183|0x18
0|6|libxul.so|nsAnimationManager::DoUpdateAnimations<ServoCSSAnimationBuilder>|hg:hg.mozilla.org/mozilla-central:layout/style/nsAnimationManager.cpp:5572465c08a9|651|0x14
0|7|libxul.so|nsAnimationManager::UpdateAnimations|hg:hg.mozilla.org/mozilla-central:layout/style/nsAnimationManager.cpp:5572465c08a9|1098|0x5
0|8|libxul.so|Gecko_UpdateAnimations|hg:hg.mozilla.org/mozilla-central:layout/style/ServoBindings.cpp:5572465c08a9|677|0x15
0|9|libxul.so|style::gecko::wrapper::{{impl}}::update_animations|hg:hg.mozilla.org/mozilla-central:servo/components/style/gecko/wrapper.rs:5572465c08a9|1333|0xf
0|10|libxul.so|style::context::{{impl}}::drop<style::gecko::wrapper::GeckoElement>|hg:hg.mozilla.org/mozilla-central:servo/components/style/context.rs:5572465c08a9|489|0x10
0|11|libxul.so|core::ptr::drop_in_place<style::context::ThreadLocalStyleContext<style::gecko::wrapper::GeckoElement>>|git:github.com/rust-lang/rust:src/libcore/ptr.rs:05e2e1c41414e8fc73d0f267ea8dab1a3eeeaa99|59|0x8
0|12|libxul.so|style::driver::traverse_dom<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly>|hg:hg.mozilla.org/mozilla-central:servo/components/style/driver.rs:5572465c08a9|143|0x5
0|13|libxul.so|geckoservo::glue::traverse_subtree|hg:hg.mozilla.org/mozilla-central:servo/ports/geckolib/glue.rs:5572465c08a9|273|0xb
0|14|libxul.so|geckoservo::glue::Servo_TraverseSubtree|hg:hg.mozilla.org/mozilla-central:servo/ports/geckolib/glue.rs:5572465c08a9|340|0xe
0|15|libxul.so|mozilla::ServoStyleSet::StyleNewSubtree|hg:hg.mozilla.org/mozilla-central:layout/style/ServoStyleSet.cpp:5572465c08a9|1015|0x8
0|16|libxul.so|nsCSSFrameConstructor::ConstructDocElementFrame|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:5572465c08a9|2557|0x8
0|17|libxul.so|nsCSSFrameConstructor::ContentRangeInserted|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:5572465c08a9|7938|0xe
0|18|libxul.so|nsCSSFrameConstructor::ContentInserted|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:5572465c08a9|7815|0xf
0|19|libxul.so|mozilla::PresShell::Initialize|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:5572465c08a9|1780|0x13
0|20|libxul.so|nsContentSink::StartLayout|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentSink.cpp:5572465c08a9|1289|0x17
0|21|libxul.so|nsHtml5TreeOpExecutor::StartLayout|hg:hg.mozilla.org/mozilla-central:parser/html/nsHtml5TreeOpExecutor.cpp:5572465c08a9|672|0xa
0|22|libxul.so|nsHtml5TreeOperation::Perform|hg:hg.mozilla.org/mozilla-central:parser/html/nsHtml5TreeOperation.cpp:5572465c08a9|1219|0xb
0|23|libxul.so|nsHtml5TreeOpExecutor::RunFlushLoop|hg:hg.mozilla.org/mozilla-central:parser/html/nsHtml5TreeOpExecutor.cpp:5572465c08a9|492|0x20
0|24|libxul.so|nsHtml5ExecutorReflusher::Run|hg:hg.mozilla.org/mozilla-central:parser/html/nsHtml5TreeOpExecutor.cpp:5572465c08a9|56|0xd
0|25|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:5572465c08a9|395|0x1c
0|26|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:5572465c08a9|1039|0x15
0|27|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:5572465c08a9|508|0x11
0|28|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:5572465c08a9|97|0xa
0|29|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:5572465c08a9|326|0x17
0|30|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:5572465c08a9|319|0x8
0|31|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:5572465c08a9|157|0xd
0|32|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:5572465c08a9|875|0x11
0|33|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:5572465c08a9|269|0x5
0|34|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:5572465c08a9|326|0x17
0|35|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:5572465c08a9|319|0x8
0|36|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:5572465c08a9|701|0x8
0|37|firefox|content_process_main|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:5572465c08a9|63|0x14
0|38|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:5572465c08a9|280|0x11
0|39|libc-2.23.so||||0x20830
0|40|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:5572465c08a9|165|0x5
Flags: in-testsuite?
Test case is as follows:

    <style>
      @keyframes a { }
      body { animation-name: a }
    </style>
    <script>
    try { document.styleSheets[0].insertRule("* { -webkit-animation: -7s }", false, null) } catch (e) {}
    </script>

Reproduces even after replacing '-webkit-animation' with 'animation'.

Does NOT reproduce with stylo disabled.

Inspecting this in a debugger reveals we have mActiveDuration of -7000000000. So it would seem something is going wrong at the parsing stage. We should have rejected that value straight out (the spec says, "A negative <time> is invalid."[1]).

We are using parse_non_negative as the parse method[2] but perhaps we fail to do that when parsing the shorthand?[3]

[1] https://drafts.csswg.org/css-animations/#animation-duration
[2] https://searchfox.org/mozilla-central/source/servo/components/style/properties/longhand/box.mako.rs#493
[3] https://searchfox.org/mozilla-central/source/servo/components/style/properties/shorthand/box.mako.rs#295
Keywords: regression
Priority: -- → P2
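
The suspected cause in the comment above, and the fix later pushed as "Make sure to honor parse_method in transition and animation shorthands", as an added Rust example that is not Servo's code and not part of the bug thread. It is a simplified model: `parse_shorthand`, its two wrappers and the token rules are assumptions, and it rejects the declaration when the first `<time>` is negative, which may differ from what the real parser does with that token.

```rust
// Added example: a simplified model of the bug class, not Servo's parser.
#[derive(Debug, PartialEq)]
struct Animation { name: String, duration_s: f64, delay_s: f64 }
// Generic <time> parser: any sign is accepted (valid for animation-delay).
fn parse_time(tok: &str) -> Option<f64> {
    let secs = match tok.strip_suffix("ms") {
        Some(n) => n.parse::<f64>().ok().map(|ms| ms / 1000.0),
        None => tok.strip_suffix('s').and_then(|n| n.parse::<f64>().ok()),
    };
    secs.filter(|t| t.is_finite())
}

// Parse method of the duration longhand: a negative <time> is invalid.
fn parse_time_non_negative(tok: &str) -> Option<f64> {
    parse_time(tok).filter(|t| *t >= 0.0)
}

// Shorthand parser (hypothetical): first <time> is the duration, second the delay.
fn parse_shorthand(input: &str, duration_parser: fn(&str) -> Option<f64>) -> Result<Animation, String> {
    let mut name: Option<String> = None;
    let (mut duration, mut delay): (Option<f64>, Option<f64>) = (None, None);
    for tok in input.split_whitespace() {
        if parse_time(tok).is_some() {
            if duration.is_none() {
                duration = Some(duration_parser(tok).ok_or(format!("invalid duration: {tok}"))?);
            } else if delay.is_none() {
                delay = parse_time(tok);
            } else {
                return Err(format!("too many <time> values: {tok}"));
            }
        } else if name.is_none() {
            name = Some(tok.to_string());
        } else {
            return Err(format!("unexpected token: {tok}"));
        }
    }
    Ok(Animation { name: name.unwrap_or_else(|| "none".to_string()),
                   duration_s: duration.unwrap_or(0.0), delay_s: delay.unwrap_or(0.0) })
}

// Before: the shorthand parsed every <time> with the generic parser.
fn parse_shorthand_buggy(input: &str) -> Result<Animation, String> { parse_shorthand(input, parse_time) }
// After: the shorthand goes through the duration longhand's own parse method.
fn parse_shorthand_fixed(input: &str) -> Result<Animation, String> { parse_shorthand(input, parse_time_non_negative) }
fn main() {
    for css in ["a -7s", "-7s", "a 2s -500ms"] { // constructed inputs
        println!("{css:?}: buggy={:?} fixed={:?}", parse_shorthand_buggy(css), parse_shorthand_fixed(css));
    }
}
```

The negative delay in the third input stays valid in both variants; only the duration slot is restricted.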
Yeah, this is stupid. Hiro just pointed me to this bug.

Test-case is:

    <style>
      @keyframes a { }
      * { animation: a -7s }
    </style>

Assignee: nobody → emilio
Comment on attachment 8938258 [details]
Bug 1426312: Make sure to honor parse_method in transition and animation shorthands.

https://reviewboard.mozilla.org/r/209022/#review214704
Attachment #8938258 - Flags: review?(bbirtles) → review+
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/28f5cfda3e9a
Make sure to honor parse_method in transition and animation shorthands. r=birtles
https://hg.mozilla.org/mozilla-central/rev/28f5cfda3e9a
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Flags: in-testsuite? → in-testsuite+